A Core Remote Code Execution Vulnerability (CVE-2015-8562) in the popular content management system (CMS) Joomla! was recently discovered. The vulnerability affects all versions of Joomla! prior to 3.4.6, and while updating the CMS to the latest version will patch the bug, there are still plenty of unpatched targets out there and Symantec has observed attackers actively scanning for and attacking vulnerable servers.

With over 50 million downloads Joomla! is one of the most widely used content management platforms and is used by some very popular websites, meaning the vulnerability potentially puts millions of users at risk. In an attack scenario, an attacker can use this vulnerability to execute commands on the server, tamper with the website or database contents, host malware on the server, or even redirect visitors to other malicious websites.

How attackers find and exploit vulnerable servers
The exploit code is relatively easy to deploy and doesn’t require much skill, all that is needed is a single HTTP request. According to our telemetry, the methods attackers are using to scan for vulnerable versions of Joomla! is similar to methods we covered in a recent blog on an RCE vulnerability in the vBulletin platform. Attackers are scanning for servers running vulnerable versions of Joomla! by attempting to call a phpinfo() function or printing out an MD5 of a predetermined value. As with the vBulletin RCE exploit attacks, it is likely attackers are scanning and documenting vulnerable web servers for exploitation at a later time.

Let’s take a look at how attackers are doing this.

In one method used by attackers, if the targeted server is vulnerable, the MD5 hash for the value 233333 is printed in the response sent by the server.

Figure 1. MD5 hash printed in the server response

Another method involves the attacker attempting to execute the eval(char()) function and waiting for any output from the die(pi()); function in the response. If this response is received it tells the attacker that the server is vulnerable.

Figure 2. Server response from eval(char()) function

System administrators can look for the methods described previously as possible indicators of attack (IoA) or indicators of compromise (IoC). By examining web access logs, administrators can look for the requests and, if found, compare the time they were made to the time the server was patched to determine if the system was likely to have been breached.

Malicious script injection
Once a system is found to be vulnerable, the attackers can then proceed to the main attack. This usually involves the installation of a back door to enable the attackers to gain full access to the compromised computer.

The section of code shown in Figure 3 is part of an encoded PHP back door which is used against vulnerable Joomla! servers. Once the back door is established on the server, the attacker can execute commands, tamper with websites hosted on the server, or upload and download files at will.